ABSTRACT 


Methods and apparatus for providing an 
Anti -Flooding Flow-Control (AFFC) mechanism suitable for 
use in defending against flooding network Denial -of - 
Service (N-DoS) attacks is described. Features of the 
AFFC mechanism include (1) traffic baseline generation, 
(2) dynamic buffer management, (3) packet scheduling, and 
(4) optional early traffic regulation. Baseline 
statistics on the flow rates for flows of data 
corresponding to different classes of packets are 
generated. When a router senses congestion, it activates 
the AFFC mechanism of the present invention. Traffic 
flows are classified. Elastic traffic is examined to 
determine if it is responsive to flow control signals. 
Flows of non- responsive elastic traffic is dropped. The 
remaining flows are compared to corresponding class 
baseline flow rates. Flows exceeding the baseline flow 
rates are subject to forced flow rate reductions, e.g., 
dropping of packets. 


